b"August 2008\nReport No. AUD-08-014\n\n\nFDIC\xe2\x80\x99s Controls Over the CAMELS\nRating Review Process\n\n\n\n\n            AUDIT REPORT\n\x0c                                                              Report No. AUD-08-014                                                 August 2008\n\n                                                              FDIC\xe2\x80\x99s Internal Controls Over the CAMELS\n                                                              Rating Review Process\n            Federal Deposit Insurance Corporation\n                                                              Audit Results\n  Why We Did The Audit                                        The FDIC has established and implemented internal controls for reviewing draft risk\n                                                              management ROEs, including the supervisory review of proposed CAMELS ratings.\n  The audit objective was to assess the internal controls\n  the FDIC has established over the CAMELS rating\n                                                              Also, DSC has established a process for resolving disagreements between the EIC\n  system for reviewing and changing proposed ratings          and Case Manager (CM) with respect to changes to proposed CAMELS ratings.\n  included in draft risk management Reports of                The resolution process includes maintaining an open dialogue between the EIC and\n  Examination (ROE). The six components of the                CM and requiring the CM to bring unresolved differences to the attention of the\n  CAMELS rating system address the adequacy of                Regional Director, or designee, for resolution prior to completion of the draft ROE\n  Capital, the quality of Assets, the capability of           review. However, review procedures do not require that changes to proposed\n  Management, the quality and level of Earnings, the          CAMELS ratings, agreed to by the EIC, be documented or justified.\n  adequacy of Liquidity, and the Sensitivity to market\n  risk. A rating of 1 through 5 is given, with 1 having the   Further, we found that none of the six DSC regions centrally maintains a record of\n  least regulatory concern and 5 having the greatest\n  concern.\n                                                              all of the CAMELS ratings changes or documentation justifying and approving\n                                                              changes to EIC-proposed ratings. Consequently, the regions and DSC headquarters\n  The audit focused on the Division of Supervision and        are not able to track or monitor changes to ratings resulting from the ROE review\n  Consumer Protection\xe2\x80\x99s (DSC) field and regional office       process. Due to the absence of such centrally-maintained records, we were not able\n  processes for reviewing proposed CAMELS ratings             to determine the frequency of, or justification and approval for, changes to EIC-\n  from the point at which the FDIC Examiner-in-Charge         proposed ratings.\n  (EIC) has notified the financial institution of the\n  proposed ratings and has electronically submitted the       However, two regions did maintain records that were useful. Specifically, the\n  draft ROE for supervisory review. We focused on these       FDIC\xe2\x80\x99s New York Regional Office uses a form entitled, ROE Tracking Log For All\n  control processes because once the institution receives\n  its proposed CAMELS ratings, subsequent changes\n                                                              Reports of Examination, which serves as a cover sheet for the draft ROE and\n  should be justified and approved to help ensure the         contains various information regarding the processing of the ROE, including the\n  changes are adequately supported.                           EIC\xe2\x80\x99s proposed CAMELS component and composite ratings. Two examples\n                                                              provided by the regional office showed evidence of CAMELS rating changes\xe2\x80\x94\n                                                              specifically, the hand-written revised rating. According to New York regional\n  Background                                                  personnel, the tracking forms are maintained in the region\xe2\x80\x99s individual examination\n  The FDIC is the primary federal regulator for over\n                                                              files. Nevertheless, the region does not centrally track information on ratings\n  5,200 state-chartered institutions. DSC conducts risk       changes for monitoring purposes even though evidence of ratings changes appears\n  management examinations of FDIC-supervised                  to exist at the regional office. Further, the tracking forms do not document the\n  financial institutions. The objective of an examination     justifications for the changes. Additionally, DSC\xe2\x80\x99s San Francisco Regional Office\n  is to help ensure a financial institution\xe2\x80\x99s safety and      personnel told us that they use a similar form, the Examination Log Sheet, to record\n  soundness and to minimize the degree of risk exposure       information regarding the processing of the ROE and that the form may be\n  presented to the banking system and Deposit Insurance       annotated to reflect a rating change. However, the one example provided to us did\n  Fund.                                                       not show evidence of a rating change.\n  As part of each risk management examination, proposed\n  examination ratings are assigned by examiners in the\n                                                              Based on the results of our work, we concluded that DSC controls over changes to\n  draft ROE. Each financial institution is assigned a         EIC-proposed CAMELS ratings could be enhanced. Enhanced controls for tracking\n  composite rating based on an evaluation and rating of       and monitoring the justification and approval for CAMELS rating changes will\n  the six essential components (noted earlier) of an          better assure that senior management is informed of ratings changes and help ensure\n  institution's financial condition and operations.           the transparency and integrity of the ratings process.\n\n  CAMELS ratings serve a number of purposes within the\n  FDIC, including as input to the process of determining\n                                                              Recommendation and Management Response\n  deposit insurance premiums charged to financial\n  institutions. Poorly rated institutions are subject to      We recommended that DSC revise the Case Manager Procedures Manual to require\n  increased supervisory attention and potentially higher      that changes made to EIC-proposed CAMELS ratings in the draft ROE be centrally\n  deposit insurance premiums and may be precluded from        managed by DSC, including tracking, monitoring, and maintaining the documented\n  certain activity otherwise permitted by law or              justification and approval for changes. DSC generally agreed with our findings and\n  regulation. It is important, therefore, that the FDIC       offered alternative corrective actions, including formalizing the guidance to staff on\n  provide assurance to financial institutions that the        the required method for documenting unresolved differences related to final\n  CAMELS rating process is consistently implemented           CAMELS ratings and developing a method to track those instances. Depending on\n  and that institutions are treated equitably.\n                                                              the content of the DSC guidance, we agree that DSC actions can substantially meet\n  DSC\xe2\x80\x99s Case Manager Procedures Manual provides               the intent of our recommendation to help ensure process integrity and transparency.\n  procedures related to making changes to proposed            Nevertheless, we continue to believe that there is value in maintaining a record\n  CAMELS ratings.                                             when there are changes to an EIC-proposed rating even when the EIC does not\n                                                              ultimately contest that change, and we suggest that DSC also consider requiring\n                                                              such a record during the course of formalizing its guidance in this area.\nTo view the full report, go to www.fdicip.gov/2008reports\n\x0cContents                                            Page\n\n\nBACKGROUND                                            2\n  DSC Guidance                                        2\n\nRESULTS OF AUDIT                                      3\n\nINTERNAL CONTROLS OVER THE RATING REVIEW PROCESS      5\n\nINTERNAL CONTROLS OVER CHANGES TO PROPOSED CAMELS     5\nRATINGS\n  Conclusion                                          7\n  Recommendation on Improving Internal Controls       7\n\nCORPORATION COMMENTS AND OIG EVALUATION               8\n\n\nAPPENDICES\n  1. OBJECTIVE, SCOPE, AND METHODOLOGY                9\n  2. RISK MANAGEMENT EXAMINATION PROCESS             13\n  3. CORPORATION COMMENTS                            15\n 4. MANAGEMENT RESPONSE TO RECOMMENDATION            17\n 5. ACRONYMS USED IN THE REPORT                      18\n\x0cFederal Deposit Insurance Corporation                                                             Office of Audits\n3501 Fairfax Drive, Arlington, VA 22226                                              Office of Inspector General\n\n\nDATE:                                     August 12, 2008\n\nMEMORANDUM TO:                            Sandra L. Thompson, Director\n                                          Division of Supervision and Consumer Protection\n\n\n\nFROM:                                     Russell A. Rau\n                                          Assistant Inspector General for Audits\n\nSUBJECT:                                  FDIC\xe2\x80\x99s Controls Over the CAMELS Rating\n                                          Review Process\n                                          (Report No. AUD-08-014)\n\n\nThis report presents the results of our audit of the FDIC\xe2\x80\x99s CAMELS rating review\nprocess. 1 The Federal Financial Institutions Examination Council (FFIEC) 2 and state\nbanking agencies assign component and composite ratings based on the results of\nperiodic risk management examinations. The agencies use the CAMELS ratings as a\nsupervisory tool for uniformly evaluating the safety and soundness of financial\ninstitutions and identifying those institutions requiring special attention. The audit\nobjective was to assess the internal controls the FDIC has established over the CAMELS\nrating system for reviewing and changing proposed ratings included in the draft risk\nmanagement reports of examination (ROE).\n\nThe audit focused on the Division of Supervision and Consumer Protection\xe2\x80\x99s (DSC) field\nand regional office processes for reviewing proposed CAMELS ratings from the point at\nwhich the FDIC Examiner-in-Charge (EIC) has notified the financial institution of the\npreliminary ratings and has electronically submitted the draft ROE for supervisory\nreview. We focused on these control processes because once the institution receives its\nproposed CAMELS ratings, subsequent changes should be justified and approved to help\nensure adequate support for changes. We conducted this performance audit in\naccordance with generally accepted government auditing standards. Appendix 1 of this\nreport discusses our audit objective, scope, and methodology in detail.\n\n1\n  The Uniform Financial Institutions Rating System (UFIRS) was adopted by the Federal Financial\nInstitutions Examination Council in 1979. Under the UFIRS, each financial institution is assigned a\ncomposite rating by a federal or state banking agency based on an evaluation and rating of six essential\ncomponents of an institution's financial condition and operations. These component factors address the\nadequacy of Capital, the quality of Assets, the capability of Management, the quality and level of Earnings,\nthe adequacy of Liquidity, and the Sensitivity to market risk (otherwise known as CAMELS). A rating of\n1 to 5 is assigned by the examiner, for each component factor and composite score, with 1 having the least\nregulatory concern and 5 having the greatest concern.\n2\n  The agencies comprising the FFIEC are the Board of Governors of the Federal Reserve System, FDIC,\nNational Credit Union Administration, Office of the Comptroller of the Currency, and Office of Thrift\nSupervision.\n\x0cBACKGROUND\n\n    The FDIC is the primary federal regulator for about 5,200 state-chartered financial\n    institutions. Under section 10(d) of the Federal Deposit Insurance Act (FDI Act), the\n    FDIC, in conjunction with the states, is required to conduct on-site full-scope\n    examinations of each FDIC-supervised institution every 12-18 months, depending on\n    asset size and bank performance, to assess the safety and soundness of the institution.\n    The FDIC complies with this requirement by conducting risk management examinations,\n    the objective of which is to assess an institution\xe2\x80\x99s overall financial condition and identify\n    risks. (Appendix 2 of this report discusses the risk management examination process in\n    more detail.)\n\n    CAMELS ratings serve a number of purposes within the FDIC, including as input to the\n    process of determining deposit insurance premiums charged to financial institutions. The\n    FDIC also uses the ratings to indicate the safety and soundness of individual institutions,\n    to identify institutions requiring special supervisory attention, and to monitor industry\n    trends. Poorly rated institutions are subject to potentially higher deposit insurance\n    premiums and may be precluded from certain activities otherwise permitted by law or\n    regulation. Therefore, it is important that the FDIC be able to provide assurance to\n    financial institutions that the CAMELS rating process is consistently implemented and\n    that institutions are treated equitably.\n\n    Within DSC, the EIC has the primary responsibility for leading an examination team and\n    completing the risk management examination. At the conclusion of the examination\n    fieldwork, it is the EIC\xe2\x80\x99s responsibility to prepare a preliminary ROE documenting the\n    outcome of the risk management examination, including the proposed CAMELS\n    component and composite ratings for the financial institution. The EIC holds an exit\n    conference with the institution\xe2\x80\x99s senior management (and the board of directors, as\n    needed) to discuss the preliminary examination results and the CAMELS ratings. During\n    the exit conference, the EIC informs the bank officials that the CAMELS ratings are\n    subject to review and approval by FDIC management. Then, based on established\n    delegations of authority, 3 the EIC submits the preliminary ROE to more senior field or\n    regional management for final review and approval.\n\n\n    DSC Guidance\n\n    The primary guidance for conducting risk management examinations is contained in\n    DSC\xe2\x80\x99s Risk Management Manual of Examination Policies (Examination Manual). The\n    Examination Manual discusses the specific criteria for the six CAMELS components and\n    indicates that ROE comments should clearly support the corresponding ratings.\n    Additionally, the ROE contains a Confidential-Supervisory Section where information of\n    interest can be included for Case Managers (CM) or other field, regional, or Washington\n\n\n    3\n      The delegation of authority is the method by which authority is granted, to individuals holding a specific\n    position, for making decisions or obligations on behalf of the Corporation.\n\n                                                          2\n\x0c    office management. We were told that this section of the ROE could be used by the EIC\n    for indicating disagreements with CAMELS rating changes.\n\n    Additional examination-related guidance is contained in DSC\xe2\x80\x99s Case Manager\n    Procedures Manual (CM Manual). The CM Manual states that the regional office CM\n    will perform activities related to reviewing, analyzing, and processing ROEs. According\n    to the CM Manual, for those ROEs reviewed at the field office, the field supervisor (FS),\n    or designee, serves as the CM. The established delegations of authority determine who\n    may eventually review and sign the final ROE. ROE review procedures described in the\n    CM Manual include, among other things, the following:\n\n    \xe2\x80\xa2   Ensure the report has been completed in accordance with written ROE instructions\n        contained in the Examination Manual and Regional Directors (RD) Memoranda. If\n        the ROE is not prepared in accordance with these guidelines or the findings are\n        unclear, the CM should contact the EIC to resolve the differences. If ROE changes\n        are necessary, the CM should discuss the changes with the EIC prior to the final\n        processing of the ROE. Unresolved differences between the EIC, CM, and/or FS\n        must be brought to the attention of the RD, or designee, for resolution prior to\n        completion of the review.\n\n    \xe2\x80\xa2   Ensure the proposed CAMELS ratings are appropriate. If a CAMELS component or\n        composite rating change is considered, concurrence of the EIC should be sought. If\n        the EIC concurs with the change, the new rating should be reflected throughout the\n        ROE. If the EIC does not agree to change the originally proposed rating, the CM\n        (with approval of the RD or designee) will draft a memorandum to the file supporting\n        the rating change, with copies to the EIC and FS. The new rating should then be\n        reflected throughout the ROE. Bank management should be informed of the change\n        before DSC transmits the ROE to the bank.\n\n    \xe2\x80\xa2   Ensure the final electronic version of the report is posted to the Completed\n        Examinations folder in Microsoft Outlook for upload to the Interagency Examination\n        Repository, a facility used to store completed risk management examination data for\n        future review and download.\n\n\nRESULTS OF AUDIT\n\n    The FDIC has established internal controls for reviewing draft risk management ROEs,\n    including the supervisory review of proposed CAMELS ratings. Specifically, after the\n    EIC discusses tentative examination results and preliminary CAMELS ratings with the\n    financial institution\xe2\x80\x99s senior management, the EIC electronically submits the draft ROE\n    to the region. Then, based on established delegations of authority, the draft ROE is\n    submitted to either the FS, or designee, or to the regional office CM for review. Based on\n    our review of DSC\xe2\x80\x99s policies and procedures, discussions with field and regional office\n    officials, and limited testing, we concluded that controls related to the review of draft\n\n\n                                                3\n\x0cROEs were being implemented as intended (Internal Controls Over the Rating Review\nProcess).\n\nAlso, DSC has established a process for resolving disagreements between the EIC and\nCM with respect to changes to proposed CAMELS ratings in draft ROEs. The resolution\nprocess includes maintaining an open dialogue between the EIC and CM and requiring\nthe CM to bring unresolved differences to the attention of the RD, or designee, for\nresolution prior to completion of the review. However, ROE review procedures do not\nrequire that changes to proposed CAMELS ratings that are agreed to by the EIC (before\nthe ROE is signed) be documented or justified in writing\xe2\x80\x94two well-recognized internal\ncontrols to help ensure adequate support and proper approval for the changes.\n\nFurther, we found that none of the six DSC regions centrally maintains a record of all\nCAMELS ratings changes and documentation justifying and approving changes to EIC-\nproposed ratings in draft ROEs. Consequently, the regions and DSC headquarters are not\nable to track or monitor changes to ratings resulting from the ROE review process. Due\nto the absence of such centrally-maintained records, we were not able to determine the\nfrequency of, or justification and approval for, changes to EIC-proposed ratings.\n\nHowever, two regions did maintain records that were useful. Specifically, the FDIC\xe2\x80\x99s\nNew York Regional Office uses a form entitled, ROE Tracking Log For All Reports of\nExamination, which serves as a cover sheet for the draft ROE and contains various\ninformation regarding the processing of the ROE, including the EIC\xe2\x80\x99s preliminary\nCAMELS component and composite ratings. Two examples provided by the regional\noffice showed evidence of CAMELS rating changes\xe2\x80\x94specifically, the hand-written\nrevised rating. According to the New York Regional Office personnel, the tracking\nforms are maintained in the region\xe2\x80\x99s individual examination files. Although evidence of\nratings changes appears to exist at the regional office, the region does not centrally track\ninformation on ratings changes for monitoring purposes. Additionally, according to DSC\nSan Francisco Regional Office officials, the San Francisco Regional Office uses a similar\nform, the Examination Log Sheet, to record information regarding the processing of the\nROE. It too includes the CAMELS ratings as proposed by the EIC. According to\nregional officials, the form may be annotated to reflect a rating change. The one example\nthe regional office gave to us did not show evidence of a rating change.\n\nBased on the results of our work, we concluded that DSC controls over changes to EIC-\nproposed CAMELS ratings could be enhanced. Enhanced controls for tracking and\nmonitoring the justification and approval for CAMELS rating changes will better inform\nFDIC senior management of rating changes and help ensure the transparency and\nintegrity of the ratings process (Internal Controls Over Changes to Proposed\nCAMELS Ratings).\n\n\n\n\n                                             4\n\x0cINTERNAL CONTROLS OVER THE RATING REVIEW PROCESS\n\n    The draft ROE review process relies on the use of delegated authority to align risk with\n    the appropriate level of supervisory review. According to officials at each of the six DSC\n    regional offices, the primary internal control in the draft ROE review process is the\n    supervisory review function. Specifically, every draft ROE receives a supervisory review\n    by a field or regional office official, in accordance with established delegations of\n    authority, before the ROE is finalized. The draft ROE review process contains other\n    controls, including: policies and procedures related to the examination process, clear\n    guidance on the rating criteria for assigning component and composite CAMELS ratings,\n    and comprehensive training of examiner and reviewer personnel.\n\n    In assessing DSC\xe2\x80\x99s ROE review process from the time an EIC discusses the preliminary\n    ROE and CAMELS ratings with an institution\xe2\x80\x99s board, we determined that EICs\n    electronically submit the draft ROE to the regional office using a predetermined\n    distribution list. The draft ROE is then printed in hard copy by an administrative focal\n    point who then, based on the delegations of authority, distributes the ROE to either the\n    FS or the regional office CM for review and approval. The larger and more complex\n    institutions, or those institutions with noted problems, receive higher-level attention and\n    scrutiny, which can occur before presentation to the institution\xe2\x80\x99s board. Additionally,\n    ROEs of 1- and 2-rated institutions are generally reviewed and signed by the FS at the\n    field office, while ROEs for institutions with a 3 rating or higher are reviewed and signed\n    at the regional office.\n\n\nINTERNAL CONTROLS OVER CHANGES TO PROPOSED CAMELS RATINGS\n\n    DSC controls over changes to proposed CAMELS ratings could be enhanced.\n    Specifically, controls are in place to document circumstances when a reviewer changes a\n    CAMELS rating proposed by the EIC and when the EIC does not agree with the change.\n    However, DSC has not established controls to document when ratings changes are\n    agreed-upon by the EIC and CM or FS. Moreover, changes to proposed CAMELS\n    ratings are not routinely documented, justified, or tracked. Accordingly, the CAMELS\n    rating process is not as transparent as it could be.\n\n    According to DSC regional officials, changes to proposed CAMELS ratings are rare.\n    Several CMs indicated that they could recall only 2-3 changes to a proposed CAMELS\n    component or composite rating over the course of a year. According to the CM Manual,\n    reviewers are required to discuss necessary changes to the draft ROE with the EIC prior\n    to making any changes and processing the final ROE. If the EIC agrees with the\n    suggested change, the rating is changed, the review process continues, and the ROE is\n    signed. (It is important to note that where the EIC agrees with the suggested rating\n    change, there is no requirement to either obtain the approval of a higher-level official or\n    document the justification for the change.) In contrast, according to the CM Manual,\n    unresolved differences between the EIC and reviewer are required to be brought to the\n\n\n                                                 5\n\x0cattention of the RD, or designee, for resolution, thus providing an audit trail of the\ndecision-making process. Specifically, in this regard, the CM Manual states:\n\n         If the EIC does not agree to change the originally assigned rating, the CMs (with\n         the approval of the Regional Director or designee) will draft a memorandum to\n         the file to support the rating change with copies to the EIC and Field Supervisor.\n\nAlthough documentation in the form of a memorandum to the file is required, none of the\nregional officials we spoke with provided evidence of such a memorandum. Further, we\nspecifically asked DSC officials in all six regions for examples or evidence of proposed\nrating changes or memorandums of the disagreements. However, only the New York\nRegional Office could provide us documentation showing where a proposed CAMELS\nrating had been changed. Personnel from the San Francisco Regional Office gave us a\nsample Examination Log Sheet, which they stated may be annotated to reflect a\nCAMELS rating change.\n\nWe determined that all six regional offices follow the same ROE review procedures.\nHowever, the New York Regional Office augments these procedures by using an ROE\nTracking Log For All Reports of Examination, and the San Francisco Regional Office\nuses the Examination Log Sheet. In both cases, the document serves as a cover sheet for\nthe draft ROE and contains various information regarding the processing of the ROE,\nincluding the EIC\xe2\x80\x99s proposed CAMELS component and composite ratings. According to\nthe regional personnel, the forms are maintained in the region\xe2\x80\x99s individual examination\nfiles. Therefore, evidence of ratings changes may exist in the New York and San\nFrancisco Regional Offices, but those regions do not centrally track information on\nratings changes for monitoring purposes and do not document the justification and\napproval for changes. Consequently, each examination file would need to be reviewed to\ndetermine whether a particular examination included a change to the proposed CAMELS\nratings in the draft ROE.\n\nAlthough not a requirement, the EIC\xe2\x80\x99s proposed CAMELS ratings may be captured in\nseveral other documents during the report review process. According to many Assistant\nRegional Directors and CMs we interviewed, it has been a practice for DSC regional\nofficials to use the Confidential-Supervisory Section of the ROE to discuss proposed\nrating changes, particularly if there is any disagreement over the change. However, no\none provided us with examples showing a discussion of disagreements in the\nConfidential-Supervisory Section. Finally, we were told that the Report of Examination\nReview Feedback Form 4 may contain comments regarding a proposed CAMELS rating\nchange. DSC officials acknowledged, however, that this form is primarily a training or\n\n4\n  After the final ROE is issued, the FS or CM prepares a Report of Examination Review Feedback Form\n(Feedback Form), which is intended to provide constructive feedback on the ROE. According to the\ninstructions for completion, the form should give reasons for substantive report changes. The reviewer is to\nprovide constructive commentary on the strengths and weaknesses of the ROE, addressing each of the\nbroad categories included in the form. The form is routed, as appropriate, to either the Assistant Regional\nDirector or the FS. The EIC reviews the feedback form and discusses any questions, concerns, or\ndisagreements about the feedback with the FS or Supervisory Examiner. In effect, feedback promotes the\ncontinuation of high-quality reports and, when appropriate, aids EICs in improving subsequent reports.\n\n                                                     6\n\x0c      instructional tool and is not retained in either the EIC\xe2\x80\x99s personnel file or the examination\n      file.\n\n      According to regional officials, the only consistent practice among the regional offices\n      regarding the handling of proposed CAMELS rating changes seems to be that, if the\n      proposed CAMELS ratings are changed during the ROE review process, the EIC notifies\n      the bank\xe2\x80\x99s management of any rating change either orally before the final ROE is issued\n      or in the final ROE transmittal letter. If bank management chooses to challenge the\n      CAMELS ratings in the final ROE, the bank will use the FDIC\xe2\x80\x99s independent intra-\n      agency appeals process.\n\n      Although all the DSC regional officials we interviewed acknowledged that CAMELS\n      rating changes are not always documented, justified, or tracked, it is important to note\n      that there is no requirement to do so. DSC regional officials provided similar responses\n      regarding why such changes were not routinely documented or tracked. For example,\n      several officials stated that comparing the EIC\xe2\x80\x99s originally proposed CAMELS ratings\n      with the final ratings transmitted to the institution in the final ROE would be a waste of\n      time because a draft ROE is subject to changes until it becomes a final. The official went\n      on to say that the final ROE is the important outcome after much communication and\n      dialogue between the reviewer, the EIC, and other pertinent staff in order to reach\n      agreement on the final assigned CAMELS ratings; and it is the final ROE that is\n      presented to the bank.\n\n\nConclusion\n\n      According to DSC officials, changes to CAMELS ratings initially proposed by EICs,\n      though rare, do occur, and often, there is no written record of the rating change or a\n      written justification for the change. Accordingly, we concluded that DSC controls over\n      changes to EIC-proposed CAMELS ratings could be enhanced. Enhanced controls,\n      including the written justification and approval for proposed CAMELS rating changes\n      and the tracking and monitoring of such changes, will better assure that senior\n      management is informed of rating changes and help ensure the transparency and integrity\n      of the CAMELS ratings process.\n\n\nRecommendation on Improving Internal Controls\n\n      We recommend that the Director, DSC:\n\n      Revise the Case Manager Procedures Manual to require that changes made to EIC-\n      proposed CAMELS ratings in the draft ROE be centrally managed by DSC, including\n      tracking, monitoring, and maintaining the documented justification and approval for\n      changes.\n\n\n\n\n                                                    7\n\x0cCORPORATION COMMENTS AND OIG EVALUATION\n\n    On August 5, 2008, the Director, DSC, provided a written response to the draft of this\n    report. Management\xe2\x80\x99s response is presented in its entirety in Appendix 3. Management\n    generally agreed with our findings and offered alternative actions to meet the intent of\n    our recommendation. A summary of management\xe2\x80\x99s response to the recommendation is\n    in Appendix 4.\n\n    In response to the recommendation, DSC stated it believes its process for deliberating and\n    resolving differences of opinion regarding EIC-proposed CAMELS ratings is strong and\n    effective. DSC further stated that it fosters an atmosphere that encourages open\n    deliberation and will continue to emphasize the importance of high quality dialogue on\n    ratings between examiners, Case Managers, and supervisors. DSC agreed that it is\n    important that raising differences with no stigma attached is vital to ensure process\n    integrity and that maintaining a procedure to document unresolved differences of opinion\n    is significant and could be enhanced.\n\n    To meet the intent of the recommendation, DSC will formalize the guidance to staff on\n    the required method for documenting unresolved differences related to final CAMELS\n    ratings. DSC will also develop a method to track those instances. DSC stated that it will\n    complete these actions by June 30, 2009.\n\n    DSC\xe2\x80\x99s planned actions are potentially responsive to our recommendation. Specifically,\n    we agree that DSC actions can substantially meet the intent of our recommendation to\n    ensure process integrity through emphasizing open deliberation and high-quality dialogue\n    on ratings and recognition of the importance of raising differences with no stigma\n    attached. Concerning transparency, proposed actions to document and track unresolved\n    differences can help keep FDIC management informed of the justification and approval\n    for ratings changes. We continue to believe that there is value in maintaining a record\n    when there are changes to an EIC-proposed rating even when the EIC does not ultimately\n    contest that change. Such records would enable higher-level management to detect any\n    pattern of changes within a given area during the course of DSC\xe2\x80\x99s periodic field\n    oversight, and we suggest that DSC also consider requiring such a record during the\n    course of formalizing its guidance in this area. Nevertheless, the recommendation is\n    considered resolved but will remain open until we determine that the agreed-to corrective\n    actions have been completed and are responsive.\n\n    Further, in its response, DSC provided clarifying information concerning the examination\n    process where CAMELS ratings of 3, 4, or 5 are being deliberated. In these cases, the\n    EIC consults extensively with responsible Case Managers, supervisors, and Subject\n    Matter Experts regarding both ratings and supervisory actions. Our report noted that\n    larger or more complex institutions or those with problems resulting in higher ratings\n    receive increased scrutiny. We made modifications to our report, as appropriate, to\n    reflect this additional information.\n\n\n\n\n                                                8\n\x0c                                                                                                  APPENDIX 1\n                             OBJECTIVE, SCOPE, AND METHODOLOGY\n\n\nObjective\n\n      The objective of this audit was to assess the internal controls the FDIC has established\n      over the CAMELS rating system for reviewing and changing proposed ratings included\n      in draft risk management ROEs. We conducted this performance audit from February\n      through May 2008 in accordance with generally accepted government auditing standards.\n      Those standards require that we plan and perform the audit to obtain sufficient and\n      appropriate evidence to provide a reasonable basis for our findings and conclusions based\n      on our audit objectives. We believe that the evidence obtained provides a reasonable\n      basis for our findings and conclusions based on our audit objective.\n\n\nScope and Methodology\n\n      We reviewed FDIC policies and procedures manuals related to the ROE review process.\n      We interviewed a DSC Risk Management and Applications Section Chief from DSC\xe2\x80\x99s\n      Washington Office regarding the ratings appeals process, an Associate Ombudsman from\n      DSC\xe2\x80\x99s Washington Office, and the Dallas Regional Office Ombudsman.\n\n      We performed our test work in the Dallas Regional Office where we interviewed the\n      DSC Risk Management Deputy Regional Director, Assistant Regional Director (ARD),\n      several CMs, a DSC FS, a Supervisory Examiner, and an administrative assistant who\n      handles the electronic reporting requirements. We received a DSC listing of all risk\n      management ROEs completed in 2006 and 2007 for FDIC-supervised institutions, by\n      regional office. The list showed 7,831 ROEs: 4,049 ROEs for 2006, and 3,782 ROEs for\n      2007. The Dallas Regional Office issued 409 ROEs in 2007. We judgmentally selected\n      a non-statistical sample 5 of four recently completed Dallas Regional Office ROEs for\n      review. Specifically, for each ROE, we looked at the Confidential-Supervisory Section\n      for pertinent comments about the CAMELS ratings and the proper use of delegated\n      authority. We also reviewed the examination files for each of the four financial\n      institutions, looking for evidence or documentation that CAMELS rating changes may\n      have occurred. We then focused our audit work on interviewing responsible DSC risk\n      management officials in the other regional offices.\n\n      We consulted with the DSC Internal Control Review (ICR) Section and selected two\n      additional DSC Regional Offices for site visits\xe2\x80\x94Atlanta and San Francisco. Where\n      pertinent, we looked at the bank examination files. We held telephone conference calls\n      with DSC officials in the other three regional offices\xe2\x80\x94Chicago, Kansas City, and New\n      York. We made arrangements through the headquarters ICR to interview appropriate risk\n      management CMs, ARDs, and several Deputy Regional Directors. We assessed the\n      activities associated with the receipt of the EIC\xe2\x80\x99s draft ROE and subsequent field,\n      regional, and headquarters review efforts leading to the final ROE. This included a\n      review of the CM functions, supervisory oversight of the examination and reporting\n\n      5\n        The results of a non-statistical sample cannot be projected to the intended population by standard\n      statistical methods.\n\n                                                            9\n\x0c                                                                                APPENDIX 1\n\n\n      process, and the use of management monitoring tools/reports. We also reviewed\n      pertinent DSC ICR reports on each DSC regional office.\n\n\n      Internal Control\n\n      To obtain an understanding of the FDIC risk management examination and reporting\n      processes, we reviewed relevant FDIC and DSC policies and guidelines, including the:\n\n          \xe2\x80\xa2   FDIC\xe2\x80\x99s Risk Management Manual of Examination Policies, Section 16.1, Report\n              of Examination Instructions\n\n          \xe2\x80\xa2   FDIC\xe2\x80\x99s Case Manager Procedures Manual, Section 3.1, FDIC Full Scope\n              Reports\n\n          \xe2\x80\xa2   DSC Director\xe2\x80\x99s Memorandum, Report of Examination Review Feedback, Form\n              6600-53, dated August 26, 2004\n\n          \xe2\x80\xa2   DSC Directors Memorandum, Administration of Delegations of Authority, dated\n              May 27, 2005\n\n          \xe2\x80\xa2   DSC Director\xe2\x80\x99s Memorandum, Relationship Manager Program Implementation,\n              dated September 30, 2005\n\n          \xe2\x80\xa2   DSC Memorandum, Internal Control and Review Section, Structure and Internal\n              Review Changes, dated February 8, 2006\n\n          \xe2\x80\xa2   RD Memorandum ROA-06-014, Delegations of Authority to Sign Supervision,\n              Compliance, and Applications Documents, dated October 13, 2006\n\n          \xe2\x80\xa2   RD Memorandum RO-07-019, Examiner Call-in Memorandum, dated August 28,\n              2007\n\n      We also obtained an understanding of the internal controls appropriate and pertinent to\n      reporting, supervisory oversight, and the handling of financial institution complaints as\n      outlined in the above DSC policies and procedures. We flowcharted the various\n      processes and identified the key internal controls. Finally, we reviewed U.S. Government\n      Accountability Office (GAO) Standards for Internal Control in the Federal Government\n      and GAO\xe2\x80\x99s Internal Control Management and Evaluation Tool.\n\n\nReliance on Computer-processed Information\n\n      For purposes of the audit, we did not rely on computer-processed information to support\n      our significant findings, conclusions, or recommendations. Our assessment centered on\n      reviews of ROEs from the time the EIC prepares the ROE, using the GENESYS report\n\n                                                 10\n\x0c                                                                                               APPENDIX 1\n\n\n      platform, and forwards the ROE, using Outlook, to the region for review. 6 Accordingly,\n      we did not consider it necessary to develop procedures to assess the reliability of data\n      stored in GENESYS.\n\n\nPerformance Measurement\n\n      We reviewed annual performance plans and FDIC strategic plans to identify goals,\n      objectives, and results and determine whether the Corporation has (1) established\n      quantifiable performance measures and (2) developed and analyzed data to assess\n      program, project, or function performance related to conducting periodic risk\n      management examinations.\n\n      In its 2008 Annual Performance Plan, the FDIC has a strategic goal that FDIC-\n      supervised institutions are safe and sound and a strategic objective that FDIC-supervised\n      institutions appropriately manage risks. The plan also contains an annual performance\n      goal to conduct on-site risk management examinations to assess the overall financial\n      condition, management practices and policies, and compliance with applicable laws and\n      regulations of FDIC-supervised depository institutions. These strategic goals and\n      objectives do not directly relate to control over the CAMELS rating review process.\n\n      In addition, we reviewed the FDIC\xe2\x80\x99s 2005-2010 Strategic Plan, 2007 Annual\n      Performance Plan, 2008 Strategic Priorities, and 2008 Corporate Performance\n      Objectives.\n\n\nCompliance With Laws and Regulations\n\n      We reviewed applicable laws and regulations related to the FDIC\xe2\x80\x99s conduct of on-site\n      risk management examinations of each FDIC-supervised institution. We found no\n      instances where the FDIC was not in compliance with applicable laws and regulations.\n\n      We assessed the risk of fraud and abuse related to the audit objective in the course of\n      evaluating audit evidence.\n\n\nPrior Coverage\n\n      In March 2004, we issued Audit Report No. 04-015 entitled, Division of Supervision and\n      Consumer Protection\xe2\x80\x99s Supervisory Appeals Process. The overall objective of the audit\n      initially was to determine whether DSC followed appropriate procedures in upgrading a\n      preliminary examination component rating of an institution and in processing the\n\n      6\n        GENESYS is an interagency automated product for bank examination. The GENESYS application is\n      generally used to plan the examination, analyze the financial condition of the bank, review management's\n      involvement in the bank operations, and develop the ROE. The GENESYS information is transmitted to\n      the Interagency Examination Repository via the Examination Transmittal Outlook process for the FDIC.\n\n                                                          11\n\x0c                                                                             APPENDIX 1\n\n\ninstitution\xe2\x80\x99s appeal of its final safety and soundness examination ratings. The Office of\nInspector General (OIG) determined that the DSC regional office complied with\nprocedures related to upgrading a preliminary examination component rating. Consistent\nwith those procedures, FDIC and state examiners held discussions with bank\nmanagement regarding its concerns with the preliminary ratings during the course of the\nexamination. In addition, the Regional Director acted within delegated authority when\nchanging the preliminary component rating. However, with respect to the bank\xe2\x80\x99s formal\nappeal of the final examination ratings, the appeals procedures did not require an\nindependent DSC analysis of examination information relevant to an appeals case when\ncritical examination findings are not fully supported. Further, DSC did not fully\ncoordinate with the state regulatory authority throughout the appeals process, even\nthough the examination was conducted jointly. Finally, during the appeals process, both\nthe DSC regional and Washington offices had considered information on institution\nactions implemented after the timeframe covered by the examination, which is contrary\nto FDIC policy.\n\nThe OIG recommended that DSC enhance and enforce current appeals procedures for\nmaterial supervisory determinations to help ensure that the FDIC appeals process is\nadministered in a fair, efficient, and effective manner and that fully informed decisions\nare made that are reflective of the merits of the case at the time of the supervisory\ndetermination.\n\n\n\n\n                                             12\n\x0c                                                                               APPENDIX 2\n                 RISK MANAGEMENT EXAMINATION PROCESS\n\n\nThe purpose of conducting a risk management examination is to assess an institution\xe2\x80\x99s\noverall financial condition, review management practices and policies, monitor adherence\nwith banking laws and regulations, review internal control systems, identify risks, and\nuncover fraud or insider abuse. This examination process is articulated in DSC\xe2\x80\x99s Risk\nManagement Manual of Examination Policies. The overall outcome is the\nCAMELS/composite rating for a particular financial institution.\n\nThe FDIC\xe2\x80\x99s risk management safety and soundness examinations consist of three parts:\npre-examination planning (PEP), on-site examination, and completion of the ROE. Pre-\nexamination planning generally takes place off-site at the field office, where the EIC\ncompletes an analysis and review of the institution, contacts the institution for financial\nrecords, and develops an examination work plan. During this stage, the EIC decides on\nareas that need special attention and on the work that will be done first. The EIC\nprepares a PEP memorandum to document the initial conclusions relative to the perceived\nrisk an institution poses and the examination procedures that will be used. Examination\ninstructions tell the examiner to summarize significant discussion topics, such as risk\nareas; management\xe2\x80\x99s concerns regarding economic conditions; and any other data\nmeaningful to the examiner\xe2\x80\x99s efforts to allocate examination resources. Also, the PEP\nmemorandum should mention targeted risk areas, specifying areas with more than normal\nrisk to which the EIC intends to devote additional or \xe2\x80\x9cabove-normal\xe2\x80\x9d examination\nresources; and the proposed loan scope, with emphasis on risk areas within the portfolio\nwhere the loan file review will be concentrated.\n\nOnce on-site at the institution, the examiners concentrate on the institution\xe2\x80\x99s asset quality,\nfinancial condition, and operations. Additionally, the examination team evaluates the\ninstitution\xe2\x80\x99s adherence to banking laws and regulations, the adequacy of the institution\xe2\x80\x99s\ninternal controls and procedures, and the capability of management reporting systems to\nprovide reliable and accurate data. At the end of the examination cycle, the EIC prepares\na consolidated report using the GENESYS report platform. The ROE is intended to\nfactually present the institution\xe2\x80\x99s condition, identify problems, provide management with\nsuggestions and recommendations, and disclose the examination ratings. The ROE, in\nother words, documents the results of the examination and the basis on which the\ncomposite rating was determined.\n\nPrior to the exit meeting with the financial institution, the EIC, under certain conditions,\nis required to prepare an Examiner Call-In Memorandum to alert the appropriate regional\nCM and ARD of pending examination results. Specifically, regional management must\nbe informed if the:\n\n   \xe2\x80\xa2   institution is currently assigned a composite rating of a 3 or worse;\n   \xe2\x80\xa2   EIC plans to downgrade an institution to a rating of a 3 or worse;\n   \xe2\x80\xa2   bank is operating pursuant to an outstanding corrective action plan;\n   \xe2\x80\xa2   examination has identified unusual or complex matters that warrant the attention\n       and oversight of regional management; and\n\n\n                                             13\n\x0c                                                                               APPENDIX 2\n\n\n   \xe2\x80\xa2   examination identified concerns of such magnitude as to warrant a downgrade in\n       the management or composite rating of the bank to a 3 or worse.\n\nSubsequent to submission of the memorandum, the EIC is instructed to call the CM or\nARD to discuss the preliminary findings and proposed CAMELS ratings prior to meeting\nwith institution management where the findings/ratings would be discussed so as to allow\nfor the possibility of a representative from regional management to attend the exit and or\nboard meeting.\n\nThe EIC holds an exit conference with the institution\xe2\x80\x99s senior management and board of\ndirectors to discuss the preliminary examination results and CAMELS ratings. At the\nexit meeting with the financial institution, the preliminary CAMELS ratings are\ndiscussed. Bank officials are informed that these CAMELS ratings are preliminary and\nsubject to the review and approval by FDIC management.\n\nThe EIC\xe2\x80\x99s draft ROE is submitted, using Outlook, to the Regional Office for review and\napproval. The ROE is received by the administrative staff and downloaded into hard\ncopy format for supervisory review. Typically, the field office reviews those financial\ninstitutions that have composite 1 and 2 ratings, less than $10 billion in assets, less than a\n3 rating for management, and fewer than two 3-rated components. All other ROEs are\nreviewed at the regional office level. According to DSC regional officials, if the\nCAMELS ratings are changed during the regional office review, the EIC notifies the\nbank\xe2\x80\x99s management of the rating change either orally before issuance of the final ROE or\nin the final ROE transmittal letter. If bank management chooses to challenge the\nCAMELS ratings in the final ROE, the bank will use the FDIC\xe2\x80\x99s independent intra-\nagency appeals process.\n\n\n\n\n                                              14\n\x0c\x0c     APPENDIX 3\n\n\n\n\n16\n\x0c                                                      APPENDIX 4\n                 MANAGEMENT RESPONSE TO RECOMMENDATION\n\n\nThis table presents the management response on the recommendation in our report and\nthe status of the recommendation as of the date of report issuance.\n\n\n    Corrective Action: Taken or          Expected       Monetary       Resolved:a        Open or\n          Planned for the               Completion      Benefits       Yes or No         Closedb\n         Recommendation                    Date\nDSC will formalize the guidance to     June 30, 2009         $0       Yes             Open\nstaff on the required method for\ndocumenting unresolved\ndifferences related to final\nCAMELS ratings. Further, DSC\nwill develop a method to track\nthose instances.\n\n\na\n    Resolved \xe2\x80\x93 (1) Management concurs with the recommendation, and the planned, ongoing, and completed\n                    corrective action is consistent with the recommendation.\n              (2) Management does not concur with the recommendation, but alternative action meets the\n                   intent of the recommendation.\n              (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0)\n                   amount. Monetary benefits are considered resolved as long as management provides an\n                   amount.\nb\n  Once the OIG determines that the agreed-upon corrective actions have been completed and are responsive\nto the recommendation, the recommendation can be closed.\n\n\n\n\n                                                   17\n\x0c                                                              APPENDIX 5\n          ACRONYMS USED IN THE REPORT\n\n\nARD       Assistant Regional Director\nCAMELS    Capital, the quality of Assets, the capability of Management, the\n          quality and level of Earnings, the adequacy of Liquidity, and the\n          Sensitivity to market risk\nCM        Case Manager\nDSC       Division of Supervision and Consumer Protection\nEIC       Examiner-in-Charge\nFDI Act   Federal Deposit Insurance Act\nFFIEC     Federal Financial Institutions Examination Council\nFS        Field Supervisor\nFRB       Federal Reserve Board\nGAO       Government Accountability Office\nGENESYS   General Examination System\nICR       Internal Control Review\nOIG       Office of Inspector General\nPEP       Pre-Examination Planning\nRD        Regional Director\nROE       Report of Examination\nUFIRS     Uniform Financial Institutions Rating System\n\n\n\n\n                              18\n\x0c"